Department of Homeland Security

IT Matters Related to the United States Coast Guard Component of the FY 2011 DHS Financial Statement Audit

OIG-12-49                                                          March 2012

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 25028

March 14, 2012

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the Department.

This report presents the information technology (IT) management letter for the United States Coast Guard component of the fiscal year (FY) 2011 DHS consolidated financial statement audit as of September 30, 2011. It contains observations and recommendations related to information technology internal control weaknesses that were summarized in the Independent Auditors' Report dated November 11, 2011, and presents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit procedures at the Coast Guard component in support of the DHS FY 2011 consolidated financial statement audit and prepared this IT management letter. KPMG is responsible for the attached IT management letter and the conclusions expressed in it. We do not express opinions on DHS' financial statements or internal control, or a conclusion on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed with those responsible for implementation. We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Frank Deffer
Assistant Inspector General
Office of Information Technology Audits

KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006

February 16, 2012

Acting Inspector General
U.S. Department of Homeland Security

Chief Information Officer and Chief Financial Officer
U.S. Coast Guard

We have audited the balance sheet of the U.S. Department of Homeland Security (DHS or Department) as of September 30, 2011, and the related statement of custodial activity for the year then ended (referred to herein as the "fiscal year (FY) 2011 financial statements"). The objective of our audit was to express an opinion on the fair presentation of these financial statements. We were also engaged to examine the Department's internal control over financial reporting of the balance sheet as of September 30, 2011, and statement of custodial activity for the year then ended, based on the criteria established in Office of Management and Budget, Circular No. A-123, Management's Responsibility for Internal Control, Appendix A. In connection with our audit, we also considered DHS' compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements that could have a direct and material effect on the FY 2011 financial statements.

Our Independent Auditors' Report issued on November 11, 2011, describes a limitation on the scope of our audit that prevented us from performing all procedures necessary to express an unqualified opinion on DHS' FY 2011 financial statements and internal control over financial reporting. In addition, the FY 2011 DHS Secretary's Assurance Statement states that the Department was unable to provide assurance that internal control over financial reporting was operating effectively at September 30, 2011.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. In accordance with Government Auditing Standards, our Independent Auditors' Report, dated November 11, 2011, included internal control deficiencies identified during our audit that, individually or in aggregate, represented a material weakness or a significant deficiency. This letter represents the separate limited distribution report mentioned in that report.

During our audit engagement, we noted certain matters in the areas of access controls, configuration management, security management, contingency planning, and segregation of duties with respect to DHS' financial systems general Information Technology (IT) controls which we believe contribute to a DHS-level significant deficiency that is considered a material weakness in IT controls and financial system functionality. We also noted that in some cases, financial system functionality is inhibiting DHS' ability to implement and maintain internal controls, notably IT application controls supporting financial data processing and reporting. These matters are described in the General IT Control Findings and Recommendations section of this letter.

Although not considered to be a material weakness, we also noted certain other items during our audit engagement which we would like to bring to your attention. These matters are also described in the General IT Control Findings and Recommendations section of this letter.

The material weakness and other comments described herein have been discussed with the appropriate members of management, or communicated through a Notice of Finding and Recommendation (NFR), and are intended For Official Use Only. We aim to use our knowledge of DHS' organization gained during our audit engagement to make comments and suggestions that we hope will be useful to you. We have not considered internal control since the date of our Independent Auditors' Report.

The Table of Contents on the next page identifies each section of the letter. We have provided a description of key DHS financial systems within the scope of the FY 2011 DHS financial statement audit engagement in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C. Our comments related to financial management and reporting internal controls (comments not related to IT) have been presented in a separate letter to the Office of Inspector General and the DHS Chief Financial Officer.

This report is intended solely for the information and use of DHS management, DHS Office of Inspector General (OIG), U.S. Office of Management and Budget (OMB), U.S. Government Accountability Office (GAO), and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative ("KPMG International"), a Swiss entity.

Department of Homeland Security
United States Coast Guard
Information Technology Management Letter
September 30, 2011

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS

                                                                            Page
Objective, Scope, and Approach                                                 1
Summary of Findings and Recommendations                                        2
General IT Control Findings and Recommendations                                4
    Related to IT Controls                                                     4
        Configuration Management                                               4
        Access Controls                                                        5
        Security Management                                                    5
            After-Hours Physical Security Testing                              5
            Social Engineering Testing                                         6
    Related to Financial System Functionality                                  9
    Application Controls                                                      10

APPENDICES

Appendix   Subject                                                                                 Page
A          Description of Key Coast Guard Financial Systems within the Scope of the FY 2011 DHS      11
           Financial Statement Audit
B          FY 2011 Notices of IT Findings and Recommendations at Coast Guard                         14
           • Notice of Findings and Recommendations – Definition of Severity Ratings                 15
C          Status of Prior Year Notices of Findings and Recommendations and Comparison to            18
           Current Year Notices of Findings and Recommendations at Coast Guard
D          Report Distribution                                                                       20

Information Technology Management Letter for the United States Coast Guard Component of the FY 2011 DHS Financial Statement Audit

OBJECTIVE, SCOPE, AND APPROACH

In connection with our engagement to audit DHS' balance sheet as of September 30, 2011, and the related statement of custodial activity for the year then ended, we performed an evaluation of general information technology controls (GITC) at Coast Guard to assist in planning and performing our audit.

The Federal Information System Controls Audit Manual (FISCAM), issued by the GAO, formed the basis of our GITC evaluation procedures. The scope of the GITC evaluation is further described in Appendix A. FISCAM was designed to inform financial auditors about IT controls and related audit concerns, to assist them in planning their audit work, and to integrate the work of IT auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. FISCAM defines the following five control functions as essential to the effective operation of the GITC environment.

• Security Management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.
• Access Control (AC) – Controls that limit and/or monitor access to computer resources (data, programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure.
• Configuration Management (CM) – Controls that help to prevent the implementation of unauthorized programs or modifications to existing programs.
• Segregation of Duties (SD) – Controls that constitute policies, procedures, and an organizational structure to prevent one individual from controlling key aspects of computer-related operations, thus deterring unauthorized actions or access to assets or records.
• Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our GITC audit procedures, we also performed technical security testing for key network and system devices. The technical security testing was performed within select Coast Guard facilities, and focused on test, development, and production devices that directly support Coast Guard's financial processing and key general support systems. Limited social engineering and after-hours physical security testing was also included in the scope of technical security testing.

Application controls identified by the financial audit team as key controls were tested for the year ending September 30, 2011.

SUMMARY OF FINDINGS AND RECOMMENDATIONS

During FY 2011, Coast Guard took corrective action to address nearly half of the prior year IT control weaknesses. For example, Coast Guard made improvements by strengthening its system security settings over some of its systems located at the Operations Systems Center (OSC), Aviation Logistics Center (ALC), and USCG Finance Center (FINCEN); strengthening controls over audit log reviews at ALC; and improving data center controls at OSC and ALC. However, during FY 2011, we continued to identify general IT control weaknesses at Coast Guard. The most significant weaknesses from a financial statement audit perspective are related to the controls over authorization, development, implementation, and tracking of IT scripts at FINCEN. These IT control deficiencies limited Coast Guard's ability to ensure that critical financial and operational data were maintained in such a manner as to ensure confidentiality, integrity, and availability. In addition, these deficiencies negatively impacted the internal controls over Coast Guard financial reporting and its operation, and we consider them to contribute to a material weakness at the Department level under standards established by the American Institute of Certified Public Accountants. In addition, based upon the results of our test work, we noted that the Coast Guard did not fully comply with the Department's requirements under the Federal Financial Management Improvement Act (FFMIA).

In FY 2011, our IT audit work identified 21 IT findings, of which 16 were repeat findings from the prior year and 5 were new findings. In addition, we determined that Coast Guard remediated 11 IT findings identified in previous years. Specifically, the Coast Guard took actions to improve aspects of its system password settings, data center physical security, and scanning for system vulnerabilities. The Coast Guard's remediation efforts have enabled us to expand our test work into areas that previously were not practical to test, considering management's acknowledgment of the existence of control deficiencies.

Collectively, these findings represent deficiencies in three of the five FISCAM key control areas. The FISCAM areas impacted included Security Management, Access Control, and Configuration Management. We also considered the effects of financial system functionality when testing internal controls, since key Coast Guard financial systems are not compliant with FFMIA and are no longer supported by the original software provider. Financial system functionality limitations add to the challenge of addressing systemic internal control weaknesses and strengthening the control environment at the Coast Guard.

The majority of the findings indicate a lack of properly designed, detailed, and consistent guidance over financial system controls to enforce DHS Sensitive System Policy Directive 4300A requirements and National Institute of Standards and Technology guidance. Specifically, the findings stem from 1) poorly designed and operating, though improving, IT script change control policies and procedures, 2) unverified access controls through the lack of user access privilege re-certifications, 3) entity-wide security program issues involving civilian and contractor background investigation weaknesses, 4) inadequately designed and operating audit log review policies and procedures, 5) physical security and security awareness, and 6) role-based training for individuals with elevated responsibilities.

These deficiencies may increase the risk that the confidentiality, integrity, and availability of system controls and Coast Guard financial data could be exploited, thereby compromising the integrity of financial data used by management and reported in DHS' consolidated financial statements.

While the recommendations made by us should be considered by Coast Guard, it is the ultimate responsibility of Coast Guard management to determine the most appropriate method(s) for addressing the weaknesses identified based on their system capabilities and available resources.

GENERAL IT CONTROL FINDINGS AND RECOMMENDATIONS

Findings:

Conditions: During the FY 2011 DHS Financial Statement Audit, Coast Guard segment, we identified the following IT and financial system control deficiencies that in the aggregate significantly contribute to the material weakness at the Department level. Our findings are divided into two groupings: 1) financial systems controls and 2) IT system functionality.

Related to IT Controls

Configuration Management

We noted that Coast Guard's core financial system configuration management process controls are not operating effectively, and continue to present risks to DHS financial data confidentiality, integrity, and availability. Financial data in the general ledger may be compromised by automated and manual changes that are not adequately controlled. For example, the Coast Guard uses an IT scripting process to make updates to its core general ledger software as necessary to process financial data. During our FY 2011 testing, we noted that some previously identified control deficiencies were remediated, while other deficiencies continued to exist. Four key areas continue to impact the Coast Guard IT script control environment, as follows:

• Script testing – limited guidance exists to guide Coast Guard staff in the development of test plans and to support the completion of functional testing;
• Script audit logging – controls supporting audit logs are not consistently implemented to log privileged user actions and to ensure that only approved scripts are executed;
• Script approvals and recertification – the recertification reviews conducted by the Coast Guard were not comprehensive enough to include all user roles associated with the Mashups and Dimensions systems. Additionally, the documentation retained in support of the reviews was not adequately completed in accordance with policy throughout the year; and
• Script recording – test and production data is not consistently recorded, and there are limited controls to ensure data accuracy. Additionally, field reconciliation discrepancies are not always consistently documented and explained.

In addition, we noted weaknesses in the script change management process as it relates to the Internal Control over Financial Reporting process (e.g., the financial statement impact of the changes to the FINCEN core accounting system through the script change management process). The Coast Guard has not fully developed and implemented procedures to ensure that a script planned to be run in production has been through an appropriate level of review by a group of individuals thoroughly assessing whether the script would have a financial statement impact.
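As an added illustration of the script audit logging and approval controls the finding describes (example code written for this page, not taken from the report or from any Coast Guard system), the following Python reconciles a production script-execution log against a script approval register and flags every run that was unapproved, modified after approval, run before its approval date, or never reviewed for financial-statement impact. The register and log formats, field names, script identifiers, users, and log lines are all constructed assumptions.

```python
"""Reconcile a script-execution log against a script approval register.

Added example, not from the OIG report or any Coast Guard system. It checks
the control the finding describes: every script run in production must be an
approved, unmodified script whose financial-statement impact was reviewed.
All field names, script identifiers, users and log lines are constructed.
"""
import csv
import hashlib
import io
from datetime import date, datetime

# Constructed script bodies; their SHA-256 digests stand in for the hash an
# approval register would record at approval time.
SCRIPT_BODIES = {
    "h1": "UPDATE gl_balance SET posted = 1 WHERE batch_id = 4411;",
    "h2": "DELETE FROM tmp_load WHERE load_date < '2011-07-01';",
    "h3": "UPDATE gl_entry SET fund = 'X1' WHERE fund = 'X0';",
    "h3x": "UPDATE gl_entry SET fund = 'X2' WHERE fund = 'X0';",  # edited after approval
    "h9": "UPDATE gl_entry SET amount = amount * 1.0;",            # never approved
}
H = {k: hashlib.sha256(v.encode()).hexdigest() for k, v in SCRIPT_BODIES.items()}

# Constructed approval register: one row per approved script version.
APPROVAL_REGISTER = """\
script_id,sha256,approved_on,approver,fin_impact_review
SCR-1001,{h1},2011-06-01,j.doe,yes
SCR-1002,{h2},2011-07-15,j.doe,no
SCR-1003,{h3},2011-09-20,a.smith,yes
""".format(**H)

# Constructed execution log, as a script runner might write it.
EXECUTION_LOG = """\
ts,user,env,script_id,sha256
2011-09-28T21:04:10,dba01,prod,SCR-1001,{h1}
2011-09-28T21:09:33,dba01,prod,SCR-1002,{h2}
2011-09-29T02:15:00,dba02,prod,SCR-1003,{h3x}
2011-09-19T18:00:00,dba02,prod,SCR-1003,{h3}
2011-09-30T23:58:41,dba01,prod,SCR-1009,{h9}
2011-09-30T10:00:00,dev07,test,SCR-1002,{h2}
""".format(**H)


def load_register(text):
    """Index the approval register by script_id."""
    return {row["script_id"]: row for row in csv.DictReader(io.StringIO(text))}


def check_execution(entry, register):
    """Return the control exceptions for one log entry (empty list if clean).

    Only production runs are in scope; test-environment runs are skipped.
    """
    if entry["env"] != "prod":
        return []
    approved = register.get(entry["script_id"])
    if approved is None:
        return ["unapproved script executed"]
    findings = []
    if entry["sha256"] != approved["sha256"]:
        findings.append("script modified after approval (hash mismatch)")
    run_day = datetime.fromisoformat(entry["ts"]).date()
    if run_day < date.fromisoformat(approved["approved_on"]):
        findings.append("executed before approval date")
    if approved["fin_impact_review"].lower() != "yes":
        findings.append("no financial-impact review on record")
    return findings


def reconcile(log_text, register_text):
    """Return (ts, user, script_id, reason) for every exception in the log."""
    register = load_register(register_text)
    exceptions = []
    for entry in csv.DictReader(io.StringIO(log_text)):
        for reason in check_execution(entry, register):
            exceptions.append((entry["ts"], entry["user"], entry["script_id"], reason))
    return exceptions


if __name__ == "__main__":
    for ts, user, script_id, reason in reconcile(EXECUTION_LOG, APPROVAL_REGISTER):
        print(f"{ts} {user:6} {script_id} -> {reason}")
```

Run against the constructed log, the clean SCR-1001 run and the test-environment run produce nothing, while the other four production runs each surface one of the exception types the finding describes.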
Internal controls that ensure the reliability of the scripting process must be effective throughout the year, but most importantly during the year-end close-out and financial reporting process.

We further noted that software change request forms for one of the key financial systems were not always appropriately authorized.

Access Controls

• Audit log reviews for key financial systems are not being conducted on all key information.
• New user access forms do not contain required supervisor approvals, and some new users were granted access before their form was approved.
• User roles were changed without required prior approval.
• Access review procedures (recertifications) for key financial applications do not include the review of all user accounts to ensure that all terminated individuals no longer have active accounts, that inactive accounts are locked, and that the privileges associated with each individual are still authorized and necessary.
• Data Center visitor access logs are not consistently completed fully and appropriately.

Security Management

• Background investigations for all civilian employees have not been completed, and Coast Guard's civilian position sensitivity designation process is not in compliance with DHS guidance.
• Background investigations for all contractor employees have not been completed.
• Not all Information Assurance (IA) professionals have the required certification or evidence of Continuing Professional Education (CPE) as required by Coast Guard policy.
• Support documentation for incident tickets did not provide sufficient evidence to determine whether the incidents were properly tracked and resolved.
• There is no consistent contractor, civilian, and military account termination notification process for Coast Guard systems.
• During our after-hours physical security and social engineering testing, we identified exceptions in the protection of sensitive user account information. The tables below detail the exceptions identified at the various locations tested.

After-Hours Physical Security Testing

We performed after-hours physical security testing to identify risks related to non-technical aspects of IT security. These non-technical IT security aspects include physical access to media and equipment that house financial data, and information residing on a Coast Guard employee's/contractor's desk which could be used by others to gain unauthorized access to systems housing financial information. The testing was performed at various Coast Guard locations that process and/or maintain financial data. The following table provides a summary of our testing results.

Weaknesses Observed During After-Hours Physical Security Testing

Locations tested: Coast Guard Headquarters (HQ), Coast Guard Finance Center (FINCEN), Surface Forces Logistics Center (SFLC), Aviation Logistics Center (ALC).

Exceptions Noted (1)                          HQ   FINCEN   SFLC   ALC   Total Exceptions by Type
Passwords (2)                                  3        5      6     3                         17
Common Access Card                             0        0      0     1                          1
Server Names/IP Addresses                      0        2      0     0                          2
Access to Data Center (3)                      0        0      0     1                          1
Government Credit Card Number                  0        0      0     1                          1
For Official Use Only (FOUO) material          7        1     17     0                         25
Personally Identifiable Information (PII)      0        3      0     0                          3
Keys that opened cabinets that exposed         1        0      0     0                          1
  an exception
Unsecured External Hard Drives                 1        0      1     0                          2
Unsecured Secure Token IDs                     1        0      0     0                          1
Unsecured Laptops                              1        0      0     0                          1
Total Exceptions by Location                  14       11     24     6                         55

Source: Coast Guard management, OIG, and KPMG direct observation and inspection of work areas.

Note: The following number of cubicles/desks were examined for each location:
    HQ – 35
    FINCEN – 60
    SFLC – 25
    ALC – 25

(1) The number of exceptions may differ from the actual number of exceptions found at a cubicle/desk. For example, one cubicle had 3 passwords, but this was only recorded as 1 exception.
(2) Attempts to log in to the systems with the identified passwords were not performed. However, we assumed that the identified passwords were valid passwords.
(3) With a temporary visitor badge, we were able to access the ALC data center.

Social Engineering Testing

Social engineering is defined as the act of attempting to manipulate or deceive individuals into taking action that is inconsistent with DHS policies, such as divulging sensitive information or allowing/enabling computer system access. The term typically applies to deception for the purpose of information gathering or gaining computer system access. Our results are shown in the following table.

Location                                  Total Called   Total Answered   Number of people who provided a password
USCG Headquarters (HQ)                              40               12                                          1
Coast Guard FINCEN                                  70               29                                          1
Surface Forces Logistics Center (SFLC)              40               19                                          3
Aviation Logistics Center (ALC)                     40               20                                          6

Recommendations: We recommend that the Coast Guard Chief Information Officer and Chief Financial Officer, in coordination with the DHS Office of the Chief Financial Officer and the DHS Office of the Chief Information Officer, make the following improvements to Coast Guard's financial management systems and associated information technology security program.

Configuration Management

• Continue to update the procedures, tools, and associated training to better address script record documentation reviews, and provide training to impacted staff;
• Continue to improve and better document the script audit logging processes and associated technical implementations in compliance with Coast Guard software development lifecycle (SDLC) and configuration management (CM) policies and procedures;
• Continue to improve and better document script approvals; define and implement script management and execution tool user access/account recertification procedures; and update associated training and provide that training to impacted staff;
• Continue to improve and better document script testing requirements and associated technical implementations and test environments in compliance with Coast Guard SDLC and CM policies and procedures;
• Continue to improve the script change management process and other associated internal controls as these relate to the financial statement impact of the changes to the CAS Suite financial databases;
• Continue to implement policy regarding approval of scripts that impact financial statements; and
• ALC management should update its Configuration Management/Quality Assurance (CM/QA) procedures to include a final comprehensive review step and associated signature prior to actual Software Change Request implementation. This will better ensure that all of the required change activities have been reviewed and verified prior to implementation.

Access Controls

• Include specific applicable DHS policy directive 4300A requirements, and mechanisms by which these can be verified, in the service provider's contract when that contract is re-competed in FY 2012;
• Update the test procedures to more thoroughly address the management of identified test accounts and other accounts used for maintenance purposes;
• Complete its legal review of the Coast Guard's account authorization retention policy and implement standard operating procedures to support it;
• Update the SFLC NESSS (Naval and Electronics Supply Support System) Access/User Control Process Guide to a) not allow phone call approvals, and b) update the account profile review processes to further reduce the risks associated with the lack of logging of user profile changes;
• Continue with implementing its new and more robust audit tool and account review/recertification process;
• Update its NESSS account management procedures and associated e-mail notifications to require an explicit acknowledgement of review by the supervisor, and change the account recertification completion date to coincide with the end of the fiscal year;
• Review current NESSS roles and make any adjustments to these roles so that the allowable actions do not exceed those necessary to accomplish assigned tasks in accordance with organizational missions and business functions;
• Centralize, integrate, and enforce the requesting, management, review, and reporting of the addition, modification, and deletion of NESSS users;
• Enhance existing OSC data center policies and procedures to include the content of the visitor logs and their associated reviews; and
• Develop and provide additional visitor training to staff who have access to the data center floor and who may also escort visitors on the data center floor.

Security Management

• Continue to vet the FINCEN staff through the Minimum Background Investigation (MBI) clearance process, identify the positions that have financial impact, and proceed with MBIs for those positions;
• Continue to identify and record the contractor positions that have a financial impact and proceed with MBIs for those positions;
• Continue to improve its IA Professional certification tracking and data gathering procedures to better ensure accurate representation of IA Professional competencies, and continue to incorporate IA Certification clauses into applicable contracts;
• Continue existing efforts to plan, develop, document, and implement enterprise-wide processes that will notify all impacted system owners of terminated, transferred, or retired contractor, military, and civilian personnel;
• Review and update its Incident Response procedures to better address incident ticket management, including ticket closure and required supporting documentation; and
• Define and implement an Incident Response Ticket review, tracking, and audit process that is automated to the greatest extent possible using tools such as Trusted Agent FISMA (TAF) and/or other project management systems to support long term
and enterprise-wide efforts.\n\xef\xbf\xbd\t Update Coast Guard Instruction/Policy to require quarterly physical security sweeps and to\n   require Information System Security Officers (ISSOs) to conduct quarterly social engineering and\n   physical security inspections of their areas and canvas personnel to confirm that their unit is\n   employing good security practices;\n\xef\xbf\xbd\t Update the Security Awareness and Training content to reflect the lasts requirements from the\n   Committee on National Security Systems, Department of Defense, and DHS policy pertaining to\n   the physical protection of sensitive information;\n\xef\xbf\xbd\t Instruct ISSOs and other USCG security officers to more rigorously enforce COMDTINST\n   5500.13 as defined in the \xe2\x80\x9cAdministrative Action\xe2\x80\x9d section which identifies proper procedures for\n   responding to first, second, third, and fourth violations of policy;\n\xef\xbf\xbd\t Review and update the Coast Guard\xe2\x80\x99s Security Awareness and Training content to enhance the\n   social engineering and phishing discussions; and\n\n\n      Information Technology Management Letter for the United States Coast Guard\n\n               Component of the FY 2011 DHS Financial Statement Audit\n\n                                       Page 8\n\n\x0c                             Department of Homeland Security\n\n                                United States Coast Guard\n\n                         Information Technology Management Letter\n                                    September 30, 2011\n\n\xef\xbf\xbd\t Direct units to perform supervised social engineering tests to further reinforce annual training and\n   best practices.\n\n\nRelated to Financial System Functionality\nConditions: We noted that certain financial system functionality limitations are contributing to\ncontrol deficiencies, inhibiting progress on corrective actions for Coast Guard, and preventing the\nCoast Guard from improving the efficiency and 
reliability of its financial reporting processes. Some\nof the financial system limitations lead to extensive manual and redundant procedures to process\ntransactions, to verify the accuracy of data, and to prepare financial statements. Systemic conditions\nrelated to financial system functionality include:\n\xef\xbf\xbd\t As noted above, Coast Guard\xe2\x80\x99s core financial system configuration management process is not\n   operating effectively due to inadequate controls over IT scripts. The IT script process was\n   instituted as a solution primarily to compensate for system functionality and data quality issues.\n\xef\xbf\xbd\t Financial system audit logs are not readily generated and reviewed, as some of the financial\n   systems continue to lack the capability to perform this task efficiently.\n\xef\xbf\xbd\t The Coast Guard is unable to routinely query its various general ledgers to obtain a complete\n   population of financial transactions, and consequently must create many manual custom queries\n   that delay financial processing and reporting processes.\n\xef\xbf\xbd\t A key Coast Guard financial system is limited in processing overhead cost data and depreciation\n   expenses in support of the property, plant and equipment financial statement line item.\n\xef\xbf\xbd\t Production versions of financial systems are outdated and do not provide the necessary core\n   functional capabilities (e.g., general ledger capabilities).\n\xef\xbf\xbd\t Financial systems functionality limitations are preventing the Coast Guard from establishing\n   automated processes and application controls that would improve accuracy, reliability, and\n   facilitate efficient processing of certain financial data such as:\n   -   Ensuring proper segregation of duties and access rights, such as automating the procurement\n       process to ensure that only individuals who have proper contract authority can approve\n       transactions or setting system access rights within the fixed 
asset subsidiary ledger;\n   -   Maintaining sufficient data to support Fund Balance with Treasury related transactions,\n       including suspense activity;\n   -   Maintaining adequate posting logic transaction codes to ensure that transactions are recorded\n       in accordance with generally accepted accounting principles ; and\n   -   Tracking detailed transactions associated with intragovernmental business and eliminating the\n       need for default codes such as Trading Partner Identification Number that cannot be easily\n       researched.\nRecommendations: We recommend that the Coast Guard\xe2\x80\x99s Chief Information Officer and Chief\nFinancial Officer update the scripting policies and procedures to include additional and more detailed\ntest documentation, develop training that addresses all aspects of script testing (including weaknesses\nrelated to functional testing, audit logging, approvals and recertifications, and the documentation and\nreview of script records) and provide training to appropriate CM staff, improve the script change\n\n\n       Information Technology Management Letter for the United States Coast Guard\n\n                Component of the FY 2011 DHS Financial Statement Audit\n\n                                        Page 9\n\n\x0c                             Department of Homeland Security\n\n                                United States Coast Guard\n\n                         Information Technology Management Letter\n                                    September 30, 2011\n\nmanagement process and other associate internal controls as they relate to the financial impact of the\nchanges, and make necessary improvements to financial management systems and supporting IT\nsecurity.\n\n\n\n                               APPLICATION CONTROLS\n\nSelect application controls were tested for the year ending September 30, 2011, and no issues were\nidentified associated with those applications selected for testwork.\n\n\n\n\n      
Information Technology Management Letter for the United States Coast Guard\n\n               Component of the FY 2011 DHS Financial Statement Audit\n\n                                      Page 10\n\n\x0c                                                                                 Appendix A\n                          Department of Homeland Security\n\n                             United States Coast Guard\n\n                      Information Technology Management Letter\n                                 September 30, 2011\n\n\n\n\n                                    Appendix A\n\nDescription of Key Coast Guard Financial Systems within the Scope of\n             the FY 2011 DHS Financial Statement Audit\n\n\n\n\n       Information Technology Management Letter for the United States Coast Guard\n\n                Component of the FY 2011 DHS Financial Statement Audit\n\n                                       Page 11\n\n\x0c                                                                                                   Appendix A\n                                    Department of Homeland Security\n                                       United States Coast Guard\n                                Information Technology Management Letter\n                                           September 30, 2011\n\n\n\nBelow is a high-level description of significant Coast Guard financial management systems included in the\nscope of the DHS Financial Statement Audit \xe2\x80\x93 Coast Guard Component.\n\nCore Accounting System (CAS)\nCAS is the core accounting system that records financial transactions and generates financial statements for the\nCoast Guard. CAS is hosted at the Coast Guard\xe2\x80\x99s FINCEN in Virginia (VA). The FINCEN is the Coast\nGuard\xe2\x80\x99s primary data center. 
CAS interfaces with two other systems located at the FINCEN, the Workflow\nImaging Network System and the Financial and Procurement Desktop.\n\nFinancial Procurement Desktop (FPD)\nThe FPD application is used to create and post obligations to the core accounting system. It allows users to\nenter funding, create purchase requests, issue procurement documents, perform system administration\nresponsibilities, and reconcile weekly program element status reports. FPD is interconnected with the CAS\nsystem and is located at the FINCEN in VA.\n\nWorkflow Imaging Network System (WINS)\nWINS is the document image processing system, which is integrated with an Oracle Developer/2000 relational\ndatabase. WINS allows electronic data and scanned paper documents to be imaged and processed for data\nverification, reconciliation and payment. WINS utilizes MarkView software to scan documents and to view the\nimages of scanned documents and to render images of electronic data received. WINS is interconnected with\nthe CAS and FPD systems and is located at the FINCEN in VA.\n\nJoint Uniform Military Pay System (JUMPS)\nJUMPS is a mainframe application used for paying USCG active and reserve payroll. JUMPS is located at the\nPay and Personnel Center (PPC) in Kansas.\n\nDirect Access\nDirect Access is the system of record and all functionality, data entry, and processing of payroll events is\nconducted exclusively in Direct Access. Direct Access is maintained by IBM Application On Demand (IBM\nAOD) in the iStructure data center facility in Arizona (AZ) with a hot site located in a Qwest data center in VA.\n\nGlobal Pay (Direct Access II)\nGlobal Pay provides retiree and annuitant support services. Global Pay is maintained by IBM AOD in the\niStructure data center facility in AZ with a hot site located in a Qwest data center in VA.\n\nShore Asset Management (SAM)\nSAM is hosted at the Coast Guard\xe2\x80\x99s Operation System Center (OSC) in West Virginia. 
SAM provides core\ninformation about the USCG shore facility assets and facility engineering. The application tracks activities and\nassist in the management of the Civil Engineering Program and the Facility Engineering Program. SAM data\ncontributes to the shore facility assets full life cycle Program management, facility engineering full life cycle\nProgram management and rationale to adjust the USCG mission needs through planning, budgeting, and project\nfunding. SAM also provides real property inventory and management of all shore facilities, in addition to the\nability to manage and track the facilities engineering equipment and maintenance of that equipment.\n\nNaval and Electronics Supply Support System (NESSS)\n             Information Technology Management Letter for the United States Coast Guard\n\n                       Component of the FY 2011 DHS Financial Statement Audit\n\n                                                Page 12\n\n\x0c                                                                                                    Appendix A\n                                    Department of Homeland Security\n\n                                       United States Coast Guard\n\n                                Information Technology Management Letter\n                                           September 30, 2011\n\nNESSS is one of four automated information systems that comprise the family of Coast Guard logistics systems.\nNESSS is a fully integrated system linking the functions of provisioning and cataloging, unit configuration,\nsupply and inventory control, procurement, depot-level maintenance and property accountability, and a full\nfinancial ledger.\n\nAviation Logistics Management Information System (ALMIS)\nALMIS provides Coast Guard Aviation logistics management support in the areas of operations, configuration\nmanagement, maintenance, supply, procurement, financial, and business intelligence. 
Additionally, ALMIS\ncovers the following types of information: Financial, Budget, Planning, Aircraft & Crew Status, Training &\nReadiness, and Logistics & Supply. The Aviation Maintenance Management Information System (AMMIS), a\nsubcomponent of ALMIS, functions as the inventory management/fiscal accounting component of the ALMIS\napplication. The Aircraft Repair & Supply Center (ARSC) Information Systems Division (ISD) in North\nCarolina (NC) hosts the ALMIS application. The AMMIS, a subcomponent of ALMIS, functions as the\ninventory management/fiscal accounting component of the ALMIS application.\n\nCG Treasury Information Executive Repository (CG Tier)\nCG TIER is a financial data warehouse containing summarized and consolidated financial data relating USCG\noperations. It is one of several supporting applications within CAS Suite designed to support the core financial\nservices provided by FINCEN. CG TIER provides monthly submissions to DHS Consolidated TIER.\n\n\n\n\n              Information Technology Management Letter for the United States Coast Guard\n\n                       Component of the FY 2011 DHS Financial Statement Audit\n\n                                              Page 13\n\n\x0c                                                                                 Appendix B\n                          Department of Homeland Security\n\n                             United States Coast Guard\n\n                      Information Technology Management Letter\n                                 September 30, 2011\n\n\n\n\n                                    Appendix B\n\n\nFY 2011 Notices of IT Findings and Recommendations at Coast Guard\n\n\n\n\n\n       Information Technology Management Letter for the United States Coast Guard\n\n                Component of the FY 2011 DHS Financial Statement Audit\n\n                                       Page 14\n\n\x0c                                                                                                   
  Appendix B\n                                      Department of Homeland Security\n\n                                         United States Coast Guard\n\n                                  Information Technology Management Letter\n                                             September 30, 2011\n\nNotice of Findings and Recommendations \xe2\x80\x93 Definition of Severity Ratings:\n\nEach NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the DHS\nConsolidated Independent Auditors Report.\n\n          1 \xe2\x80\x93 Not substantial \n\n          2 \xe2\x80\x93 Less significant\n\n          3 \xe2\x80\x93 More significant\n\n\nThe severity ratings indicate the degree to which the deficiency influenced the determination of severity for\nconsolidated reporting purposes.\n\nThese rating are provided only to assist the DHS in prioritizing the development of its corrective action plans for\nremediation of the deficiency.\n\n\n\n\n              Information Technology Management Letter for the United States Coast Guard\n\n                       Component of the FY 2011 DHS Financial Statement Audit\n\n                                              Page 15\n\n\x0c                                                                                                                            Appendix B\n                                                         Department of Homeland Security\n                                                            United States Coast Guard\n                                                     Information Technology Management Letter\n                                                                September 30, 2011\n\n\n\n\nFY 2011 NFR #                             NFR Title                               FISCAM Control Area       2011 Severity   New Issue    Repeat Issue\n                                                                                                               Rating\n              
  Security Awareness Issues Associated with Physical Protection\n CG-IT-11-01                                                                                                     2                            X\n                of Sensitive Information                                             Access Controls\n                Direct Access and Direct Access II User and System\n CG-IT-11-02                                                                                                     1             X\n                Administrator Account Management and Approval                        Access Controls\n                Coast Guard TIER resource owners\xe2\x80\x99 identification of authorized\n CG-IT-11-03                                                                                                     1                            X\n                users                                                                Access Controls\n                Weaknesses Related to Information Assurance Professionals\xe2\x80\x99\n CG-IT-11-04                                                                                                     1                            X\n                Required Certifications                                            Security Management\n CG-IT-11-05    Configuration Management Controls over the Scripting Process     Configuration Management        3                            X\n CG-IT-11-06    Civilian Background Investigations                                 Security Management           2                            X\n CG-IT-11-07    Contractor Background Investigations                               Security Management           2                            X\n                Security Awareness Issues Associated with the Social\n CG-IT-11-08                                                                                                     2                            X\n                Engineering Testing                             
                   Security Management\n CG-IT-11-09    Operations Systems Center Data Center Visitor Access Logs            Access Controls             1             X\n                Direct Access and Direct Access II Audit Logging and General\n CG-IT-11-10                                                                                                     2                            X\n                IT Control Validation                                                Access Controls\n CG-IT-11-11    AMMIS Software Change Requests Process                           Configuration Management        1                            X\n                Shore Asset Management and Naval and Electronics Supply\n CG-IT-11-12                                                                                                     1                            X\n                Support System Audit Log Review                                    Security Management\n CG-IT-11-13    Direct Access System User Account Recertification                    Access Controls             2                            X\n CG-IT-11-14    NESSS Access Authorizations                                          Access Controls             2                            X\n                Lack of Consistent Contractor, Civilian, and Military Account\n CG-IT-11-15                                                                       Security Management           2                            X\n                Termination Notification Process for Coast Guard Systems\n                Naval & Electronics Supply Support System Users Who Have\n CG-IT-11-16                                                                         Access Controls             2                            X\n                Admin Capabilities\n\n                                Information Technology Management Letter for the United States Coast Guard\n\n                                         Component of the FY 2011 DHS Financial 
Statement Audit\n\n                                                                Page 16\n\n\x0c                                                                                                               Appendix B\n                                                    Department of Homeland Security\n                                                       United States Coast Guard\n                                                Information Technology Management Letter\n                                                           September 30, 2011\n\nCG-IT-11-17   ALMIS User Recertification                                         Access Controls           2                X\nCG-IT-11-18   Non-Compliance with FFMIA \xe2\x80\x93 Information Technology               Security Management         3                X\n              Weaknesses Associated with the Coast Guard Security Incident\nCG-IT-11-19                                                                    Security Management         1      X\n              Database and Ticket System\n              Access and Configuration Management Controls \xe2\x80\x93 Vulnerability\nCG-IT-11-20                                                                  Configuration Management      2      X\n              Assessment\n              Naval and Electronics Supply Support System User Account\nCG-IT-11-21                                                                      Access Controls           2     X\n              Recertification\n\n\n\n\n                             Information Technology Management Letter for the United States Coast Guard\n\n                                      Component of the FY 2011 DHS Financial Statement Audit\n\n                                                             Page 17\n\n\x0c                                                                               Appendix C\n                        Department of Homeland Security\n\n                           United States Coast 
Guard\n\n                    Information Technology Management Letter\n                               September 30, 2011\n\n\n\n\n                                 APPENDIX C\n\n Status of Prior Year Notices of Findings and Recommendations \n\n                       and Comparison to\n\nCurrent Year Notices of Findings and Recommendations at Coast \n\n                             Guard\n\n\n\n\n\n     Information Technology Management Letter for the United States Coast Guard\n\n              Component of the FY 2011 DHS Financial Statement Audit\n\n                                     Page 18\n\n\x0c                                                                                                 Appendix C\n                               Department of Homeland Security\n                                  United States Coast Guard\n                           Information Technology Management Letter\n                                      September 30, 2011\n\n                                                                                            Disposition\n\n                                              Description                             Closed       Repeat\n  NFR #\n                 Lack of Consistent Contractor, Civilian, and Military Account\nCG-IT-10-01                                                                                          X\n                 Termination Process for Coast Guard Systems\nCG-IT-10-02      Contractor Background Investigations                                                 X\nCG-IT-10-03      Civilian Background Investigations                                                  X\n                 Lack of implemented guidance related to financial statement impact\nCG-IT-10-04                                                                             X\n                 assessment within the change control process\nCG-IT-10-05      Configuration Management Controls Over the Scripting Process                        X\n          
       Security Awareness Issues associated with the Social Engineering\nCG-IT-10-06                                                                                          X\n                 Testing\nCG-IT-10-07      JUMPS Authorized Users Tracking Weakness                               X\nCG-IT-10-08      Coast Guard TIER System \xe2\x80\x93 Password Settings                            X\n                 Security Awareness Issues Associated with Physical Protection of\nCG-IT-10-09                                                                                          X\n                 Sensitive Information\n                 Weaknesses with Specialized Role-based Training for Individuals\nCG-IT-10-10                                                                                          X\n                 with Significant Security Responsibilities\n                 Coast Guard TIER resource owners\xe2\x80\x99 identification of authorized\nCG-IT-10-11                                                                                          X\n                 users\nCG-IT-10-12      User Account Recertification - Direct Access Application                            X\n                 Access and Configuration Management Controls \xe2\x80\x93 Vulnerability\nCG-IT-10-13                                                                             X\n                 Assessment\nCG-IT-10-14      NESSS Access Authorizations                                                         X\nCG-IT-10-15      ALC Data Center and Facility Controls                                  X\nCG-IT-10-16      AMMIS Password Configuration                                           X\n                 Security Awareness Issues associated with Social Engineering\nCG-IT-10-17                                                                                          X\n                 Testing \xe2\x80\x93 Follow-up Testing\nCG-IT-10-18      AMMIS Audit Log Review                               
                  X\nCG-IT-10-19      ALMIS User Recertification                                                          X\nCG-IT-10-20      AMMIS Software Change Requests Process                                              X\nCG-IT-10-21      NESSS User Access Recertification                                                   X\nCG-IT-10-22      SAM and NESSS Audit Log Review                                                      X\nCG-IT-10-23      OSC Data Center Access Reviews                                         X\nCG-IT-10-24      Non-Compliance with FFMIA) \xe2\x80\x93 Information Technology                                  X\nCG-IT-10-25      FINCEN Configuration Management Testing Approval Process               X\nCG-IT-10-26      ALC Information Technology Policies and Procedures                     X\nCG-IT-10-27      NESSS Password Configuration                                           X\nCG-IT-10-28      Direct Access Audit Logging                                                         X\n\n\n\n\n          Information Technology Management Letter for the United States Coast Guard\n\n                   Component of the FY 2011 DHS Financial Statement Audit\n\n                                          Page 19\n\n\x0c                                                                         Appendix D\n                   Department of Homeland Security\n                      United States Coast Guard\n               Information Technology Management Letter\n                          September 30, 2010\n\n\n          Report Distribution\n\n          Department of Homeland Security\n\n          Secretary\n          Deputy Secretary\n          General Counsel\n          Chief of Staff\n          Deputy Chief of Staff\n          Executive Secretariat\n          Under Secretary, Management\n          Commandant, USCG\n          DHS Chief Information Officer\n          DHS Chief Financial Officer\n          Chief Financial Officer, USCG\n          Chief 
Information Officer, USCG\n          Chief Information Security Officer\n          Assistant Secretary for Office of Policy\n          Assistant Secretary for Office of Public Affairs\n          Assistant Secretary for Office of Legislative Affairs\n          DHS GAO OIG Audit Liaison\n          Chief Information Officer, Audit Liaison\n          USCG Audit Liaison\n\n          Office of Management and Budget\n\n          Chief, Homeland Security Branch\n          DHS OIG Budget Examiner\n\n          Congress\n\n          Congressional Oversight and Appropriations Committees, as\n          appropriate\n\n\n\n\nInformation Technology Management Letter for the United States Coast Guard\n\n         Component of the FY 2011 DHS Financial Statement Audit\n\n                                Page 20\n\n\x0cADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this report, please call the Office of Inspector General\n(OIG) at (202)254-4100, fax your request to (202)254-4305, or e-mail your request to\nour OIG Office of Public Affairs at DHS-OIG.OfficePublicAffairs@dhs.gov. For\nadditional information, visit our OIG website at www.oig.dhs.gov or follow us on Twitter\n@dhsoig.\n\nOIG HOTLINE\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal\nor noncriminal misconduct relative to Department of Homeland Security programs and\noperations:\n\n\xe2\x80\xa2 Call our Hotline at 1-800-323-8603\n\n\xe2\x80\xa2 Fax the complaint directly to us at (202)254-4292\n\n\xe2\x80\xa2 E-mail us at DHSOIGHOTLINE@dhs.gov; or\n\n\xe2\x80\xa2 Write to us at:\n        DHS Office of Inspector General/MAIL STOP 2600,\n        Attention: Office of Investigation - Hotline,\n        245 Murray Drive SW, Building 410\n        Washington, DC 20528\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'